Panopticon Labs – Making Online Gaming Safe and Fun

Did you know that the revenues of the online computer gaming industry are larger than that of the Hollywood and music industries combined? With that much money at stake, it is not the least bit surprising that online games are the targets of many, many sophisticated attacks and attempts at fraud.

As Matthew Cook, Co-Founder Product Development, of Panopticon Labs explains, the types of attacks on the gaming industry are very specific and different from general cyber-attacks. As a result, the usual security tools and techniques do not provide the required protection. In this interview, Matthew explains how gaming threats are unique and what his company has developed in order to protect against them.

I started my career in fraud and risk management at CheckFree in the late 90’s, which was one of the first services allowing banks to offer online bill payment. This gave me a front-row seat to watch the massive amount of fraud enabled by this online system. At the same time, I have always been a gamer. In the 1980’s and 1990’s, if you wanted to be a gamer you had to build your own computer.

I always looked for a way to get back into the gaming field professionally. At a certain point, after working with fraud at banks, I realized that the problems and language that game operators were using was the same that I heard in the banking industry twelve years earlier.

To quote your web site: “Panopticon Laboratories is the first and only cybersecurity company to protect online video game publishers from the financial and reputational damages that result from an in-game cyber-attack.” I have a several questions for you regarding that statement.

Sure – Go ahead.

Why is there a need for a company to focus exclusively on online video gaming security? What needs are there that the “regular” or general cyber security tools and approaches do not address?

Most people do not realize how much money is involved in gaming. Depending on whom you ask, the online gaming industry did somewhere between $85-$95 billion in business in 2016. That is more than the Hollywood and music industries combined.

The industry faces many of the same challenges of fraud that I was battling for years in the banking industry. However, since the gaming industry is not regulated, it is much easier for the bad guys to manipulate and abuse. Since so much money is at stake, hackers are becoming increasingly sophisticated and brazen in their attacks.

General cyber security tools focus on protecting things like network access, servers, passwords, and monetary transactions. What we quickly learned from game operators was that the biggest threats they face are from what happens inside the game. That is, the greatest threats that they need to detect and neutralize are from players already in the game. It is very easy to create new accounts for a game and the game operators want to stop the hackers long before they get to the monetary transaction phase.

So, that is why you specify protecting “in-game” cyber- attacks?

Exactly. Those are the most serious, and unique, threats to online gaming.

It is interesting that you mention reputational damages in addition to financial damages. Why is that?

Reputation is a financial problem. Especially in the modern world of game publishing, it has been said that reputation is all that you have. A bad experience can instantly destroy an online game.

That is why security, especially in-game security, is of such great concern to game publishers and operators. They are becoming hesitant to make (the necessary) large investments in game development, knowing how quickly hackers can wipe out their entire investment.

OK – now please describe for me you product and/or services.

We focus on multi-player games, where players compete against other players and/or function in a shared world. These are the types of games that are the most heavily monetized.

Our primary project is what we named “Watchtower” – a tool for attack research and alerts. It is based on mathematical algorithms, rather that rules and reports. We are able to detect suspicious or irregular game events and then notify the game operator.

The way we do this is by identifying the different fraud and risk scenarios based on the unique genre and other parameters of a specific game. Some of the issues and considerations include:

Hacking and Cheating

Account Takeovers

Children’s Games

Monetization Methods

We also provide the game operator with the necessary tools so that after they confirm that a suspicious player/account or session is indeed bad, they can then intervene directly from our alert. This allows all of the support staff to administer the game from a single point.

How do you define your market? Who is your specific target audience within that market?

We primarily target game operators, because they are the ones who have the financial responsibility to keep the games up and running well.

What methods do you normally use to attract and engage with new customers?

We attend many gaming conferences and meet a lot of potential customers who approach us there. We also do direct outreach to executives at both publisher and developer companies.

We have learned that it is important for us to engage with publishers and operators early in the process, even before a game goes into beta. This is because the bad guys are also taking advantage of a game’s beta period to test and refine their strategies, so our software must already be in place.

How many active customers do you have today? Where are they mainly located?

We are currently focusing on the US and Europe. The Asian market is huge, but we are not investing in that part of the world yet.

We have already worked with three very large games in the past, with as many as 13.5 million monthly subscribers. We are currently negotiating with another six very large game companies.

Whom do you see as your main competitors?

There are many security companies out there trying to rebrand or add components for the gaming industry. The problem is that these tools typically tend to focus on IT types of threats and on classical transaction (monetary) fraud detection, rather than on threats that are specific to gaming.

How do you see your tools as different and/or better than theirs?

No one besides us has tried to build an integrated, centralized, and holistic security system for gamers. The industry is currently a patchwork of different tools from a variety of vendors.

We focus on detecting if/when someone has hacked the system from inside of the game client.

How do you see security in the gaming industry evolving in the coming years?

That is an interesting question, but a tough one to answer. The bad guys will always surprise you – some of them are very, very smart and well educated. They are also constantly developing sophisticated tools and analytics.

The gaming industry really needs to figure out how to respond rapidly to malicious attacks. We need to get the response time down to days and hours, just as the financial industry has now succeeded in doing.

What are your future plans for Panopticon Labs?

We want to get as many games as possible on our platform as quickly as possible, so that we can use and share (anonymously) the data among game operators and help the industry as a whole.

This would include data such as:

Fraud and risk data

Bad game actors

Bad behavior patterns

We also plan to add the ability for greater integration with game operator platforms, such as their transaction systems. We can use our data to help the transaction system decide whether to allow the completion of a monetary transaction.

How many employees do you have today? Where are they located?

We are a very small company. We have four co-founders; three of us are located in Columbus, Ohio and one is in Baltimore Maryland. We hired many contractors to help us build the product.

I looked up the word “panopticon” – I assume that in your choice of the company name you are trying to send a message – correct?

Yes. A panopticon is a type of building designed in the late 18th century, where the design allows a single guard to observe all of the inmates of a prison without the inmates being able to tell whether they are being watched. We know that if the bad guys today know that they are being watched, they will come up with ways to overcome or avoid us. We need to be constantly watching the bad guys, without them knowing it.

How many hours a day do you normally work? What do you like to do when you are not working?

I cannot really answer that question the way you phrased it. When I am not working, I am playing games. When I am playing games, I am always analyzing and thinking. I guess I am very fortunate in that what I do for fun is also what I love to do professionally.

Jackie is leading the community relationship in vpnMentor. He is responsible for managing, editing, and developing high quality interviews with security professionals. His background includes software and website development, as well as online marketing (i.e. SEO. PPC, CPA, etc.).